[messaging] abusing u2f
Tom Ritter
tom at ritter.vg
Wed Mar 23 18:37:55 PDT 2016
On 23 March 2016 at 19:36, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On Wed 2016-03-23 15:27:06 -0400, Tom Ritter wrote:
>> The strategy I want to see someone POC is using secure enclaves for
>> this. Either SIM cards (specifically a dual-SIM phone combined with
>> SEEK for Android) or Android's new 'Trusty' API. Write a javacard or
>> whatever 'applet' that lives in the Secure Enclave. It enforces '10
>> wrong attempts, and I delete the key'. This mimics iOS's Secure
>> Enclave but now we have it on a per-app basis.
>
> In this case, the enforcement needs to be done inside an applet that
> cannot be backed up and restored, right? Does a SIM card meet that
> promise? (disclaimer: i know nothing about SIM cards, feel free to
> point me at the relevant reading)
Yes - that's correct. The SIM is acting as a tiny little inexpensive
hardware security module that's difficult to restore/tamper/etc. I'm
sure it's possible, but it would up the game.
-tom
More information about the Messaging
mailing list